
Medibank fails to block investigation into data hack

The Federal Court has dismissed Medibank’s attempts to shut down an investigation into the October 2022 data hack.

Naomi Neilson 22 February 2024 Big Law

Justice Jonathan Beach refused the originating application to prevent the Office of the Australian Information Commissioner (OAIC) from proceeding with its investigation into the major data breach that compromised the personal details of 9.7 million Australians.

Medibank also failed to restrain the OAIC from making any determinations, which could include a requirement the insurance giant take steps to ensure appropriate procedures are in place.

If its investigation uncovers “serious and/or repeated interferences” with Australia’s privacy laws, the OAIC also has the power to seek civil penalties of up to $2.2 million for each contravention.


In a recent ASX statement, Medibank said it expects its cyber crime costs to be between $30 million and $35 million in this financial year “for further IT security uplifts and legal and other costs related to regulatory investigations and litigation”.

In addition to the now Federal Court-approved OAIC investigation, Medibank is also facing several class actions and a $250 million penalty levied by the Australian Prudential Regulation Authority.

Maurice Blackburn principal lawyer Andrew Watson said the firm was carefully reviewing the breach to investigate whether Medibank’s customers were entitled to compensation.

“As custodians of customers’ personal health information, Medibank has a heightened responsibility to put in place greater safeguards to secure the personal and health claim information it collected from its customers, including appropriate security and monitoring systems to protect against unauthorised access or disclosure of that data,” Mr Watson said.

At the time of the hack, a group known as REvil demanded $15.6 million and threatened to leak the information online.

Late last month, three federal ministers said Russian man Aleksandr Ermakov was responsible for the attack and that they would be sanctioning him under Australia’s new cyber laws.

The Federal Court decision follows OAIC’s recent announcement it had opened an investigation into HWL Ebsworth’s hack.